Abstract. The Probabilistic I/O Automata (PIOA) framework of Lynch, 
Segala and Vaandrager provides tools for precisely specifying protocols 
and reasoning about their correctness based on implementation relation- 
ships between multiple levels of abstraction. 

We enhance this framework to allow the analysis of protocols that use 
cryptographic primitives. For this purpose, we propose new techniques 
for handling nondeterministic behaviors, expressing computationally hard- 
ness assumptions, and for proving security in a composable setting. 


1 Introduction 


The task of modeling and analyzing cryptographic protocols is typically com- 
plex, involving many subtleties and details, even when the analyzed protocols are 
simple. This causes security analysis of cryptographic protocols to be susceptible 
to errors and omissions (see [1-3] for instance). Our goal is to present a method 
for analyzing cryptographic protocols rigorously and systematically in a com- 
posable framework, while taking into account computational issues regarding 
cryptographic primitives. 

This work is most closely related to the efforts of Backes, Pfitzmann and 
Waidner [4,5], and of Lincoln, Mateus, Mitchell, Mitchell, Ramanathan, Scedrov 
and Teague [6,7]. The main conceptual difference between these works and the 
current one lies in the way we handle nondeterminism, as we will see below.¹ 


* Canetti is supported by NSF CyberTrust Grant #430450; Cheung by DFG/NWO bi- 
lateral cooperation project 600.050.011.01 Validation of Stochastic Systems (VOSS); 
Kaynar and Lynch by DARPA/AFOSR MURI Award #F49620-02-1-0325, MURI 
AFOSR Award #SA2796PO 1-0000243658, NSF Awards #CCR-0326277 and 
#CCR-0121277, and USAF, AFRL Award #FA9550-04-1-0121; Pereira by the Bel- 
gian National Fund for Scientific Research (FNRS); and Segala by MURST project 
Constraint-based Verification of reactive systems (CoVer). 

1 A detailed comparison of our framework with the one of Backes et al. [4] is available 
in [8, 9]. 
2 Task-PIOAs 


PIOAs Our approach is based on an extension of the Probabilistic I/O Au- 
tomata (PIOA) framework developed in the concurrency semantics research 
community [10,11]. Briefly, a PIOA is a kind of abstract automaton. It includes 
states, start states, input, output, and internal actions. Each action has an as- 
sociated set of transitions, which go from states to probability distributions on 
states. PIOAs are capable of expressing both probabilistic choices and nondeter- 
ministic choices. PIOAs that model individual components of a system may be 
composed to yield a PIOA model for the entire system. 


Task-PIOAs Traditionally, centralized, perfect-information schedulers are used 
to resolve nondeterministic choices in a PIOA. Such a scheduler has full knowl- 
edge about the past execution and is too powerful for computational analysis 
of security protocols: it might provide covert channels by scheduling actions of 
adversarial components as a function of secrets of protocol parties. To address 
this issue, we propose a distinction between high- and low-level nondetermin- 
ism. High-level nondeterminism refers to the adversarially observable events, for 
instance, message transmission on the network. This type of nondeterminism, 
which is standard in the cryptographic community, is algorithmically resolved 
by the automaton representing the adversary. Low-level nondeterminism refers 
to the ordering of events that are not controlled by adversarial components, e.g., 
internal or output transitions of protocol parties. As observed in the concurrency 
community, this type of nondeterminism is quite useful in protocol specification: 
by leaving the ordering of events unspecified whenever possible, we reduce the 
amount of inessential details (the so-called “clutters”) contained in our mod- 
els. This often simplifies correctness proofs involving implementation relations. 
More importantly, the resulting correctness statement is more general, because 
it is valid no matter how the nondeterministic choices are resolved in a real-life 
implementation. Thus, an implementer has more freedom to make design deci- 
sions based on the specific context in which the protocol is used (e.g., hardware 
and network characteristics). We think that capturing and separating these two 
types of nondeterminism is an aspect in which our approach differs from all 
existing cryptographic frameworks. 

To resolve low-level nondeterminism in a consistent manner, we extend the 
PIOA framework with a new task mechanism, obtaining task-PIOAs as detailed 
in [8]. Basically, a task-PIOA is a pair (P, R) where P is a classical PIOA and 
R is an equivalence relation on internal and output actions of P. Each equiv- 
alence class of R is called a task, and we require that tasks satisfy the action 
determinism axiom, which states that, given a state and a task of a task-PIOA, 
there is at most one (probabilistic) action of that task that is enabled in that 
state. We use tasks to abstract from the actual state variables of the proto- 
col parties: for instance, a task will be “send first protocol message”, without 
reference to a specific message content. Given this task mechanism, we define 
schedulers simply as arbitrary sequences of tasks, called task schedulers. The 
action determinism property of tasks guarantees that specifying a task scheduler 
for a given task-PIOA resolves all nondeterministic choices and defines a purely 
probabilistic execution. 
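To make the task mechanism concrete, here is a small Python model of a task-PIOA with the action determinism check and a task scheduler that resolves the low-level nondeterminism into a distribution over states. It is an added example, not the paper's own formalism; the protocol party, its states, actions and tasks are constructed for illustration.

```python
from fractions import Fraction
from itertools import product

class TaskPIOA:
    """Toy task-PIOA (P, R): transitions map (state, action) to a distribution
    over states; `tasks` partitions the actions (the equivalence classes of R).
    Constructed for illustration, not the paper's formal definition."""
    def __init__(self, start, trans, tasks):
        self.start, self.trans, self.tasks = start, trans, tasks
        self.states = {s for s, _ in trans} | {t for d in trans.values() for t in d}

    def enabled(self, state, task):
        """Actions of `task` that have a transition from `state`."""
        return [a for a in sorted(self.tasks[task]) if (state, a) in self.trans]

    def action_deterministic(self):
        """Action determinism axiom: per state and task, at most one enabled action."""
        return all(len(self.enabled(s, t)) <= 1 for s, t in product(self.states, self.tasks))

    def run(self, schedule):
        """A task scheduler (a sequence of tasks) resolves every nondeterministic
        choice; the result is purely probabilistic: a distribution over states.
        A task with no enabled action in a state leaves that state unchanged."""
        dist = {self.start: Fraction(1)}
        for task in schedule:
            nxt = {}
            for s, p in dist.items():
                acts = self.enabled(s, task)
                if not acts:
                    nxt[s] = nxt.get(s, 0) + p
                    continue
                (a,) = acts  # unique by action determinism
                for s2, q in self.trans[(s, a)].items():
                    nxt[s2] = nxt.get(s2, 0) + p * q
            dist = nxt
        return dist

# Constructed protocol party: pick a bit uniformly, then either send it or abort.
# Whether "send" or "abort" comes first is low-level nondeterminism, resolved by
# the task scheduler rather than by the adversary.
TRANS = {
    ("init", "choose"):  {"chose0": Fraction(1, 2), "chose1": Fraction(1, 2)},
    ("chose0", "send0"): {"sent0": Fraction(1)}, ("chose0", "abort"): {"aborted": Fraction(1)},
    ("chose1", "send1"): {"sent1": Fraction(1)}, ("chose1", "abort"): {"aborted": Fraction(1)},
}
# The "send" task abstracts from the message content: send0 and send1 form one task.
PARTY = TaskPIOA("init", TRANS, {"choose": {"choose"}, "send": {"send0", "send1"}, "abort": {"abort"}})
# Merging send and abort into one task breaks action determinism in chose0 / chose1.
BAD_PARTY = TaskPIOA("init", TRANS, {"choose": {"choose"}, "finish": {"send0", "send1", "abort"}})
```

Scheduling `["choose", "send", "abort"]` sends the bit, `["choose", "abort", "send"]` aborts, and `["send", "choose"]` never sends because the task is not enabled yet; each schedule yields one purely probabilistic outcome.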


Time-bounded Task-PIOAs The security of cryptographic protocols typ- 
ically relies on the assumption that certain problems cannot be solved with 
nonnegligible probability by resource bounded entities. In order to capture these 
bounds, we define time-bounded task-PIOAs [9]. Basically, a task-PIOA T is b- 
time-bounded if, assuming a standard bit representation, (i) all its components 
(state, actions, tasks, ...) can be represented as bit strings of length at most b, 
(ii) there is a Turing machine that can decide in time at most b if a bit string is 
the representation of a task-PIOA component, (iii) given a task and a state, there 
is a Turing machine that can determine in time at most b the unique enabled 
action (if there is one), (iv) given a state and an action, there is a Turing ma- 
chine that can compute in time at most b the next state of T. Furthermore, we 
require that all these Turing machines can be described as bit strings of length 
at most b, given some standard encoding. 

Typically, a computational hardness assumption states that, as the size of 
a problem grows, the success probability of a resource-bounded entity trying 
to solve the problem diminishes quickly. The size of a problem is expressed in 
terms of a security parameter $k \in \mathbb{N}$. Accordingly, we define families of task- 
PIOAs indexed by a security parameter: a task-PIOA family T is an indexed set 
$\{T_k\}_{k \in \mathbb{N}}$ of task-PIOAs. The notion of time bound is also expressed in terms of 
the security parameter; namely, given $b : \mathbb{N} \to \mathbb{R}^{\geq 0}$, we say that T is b-bounded 
if every $T_k$ is $b(k)$-time-bounded. Also, we say that a family T is polynomial- 
time-bounded if it is bounded by a polynomial function. 


3 Proving Security 


Defining Security We perform security analysis along the lines of Univer- 
sally Composable Security [12] and Reactive Simulatability [5]. Following these 
approaches, the functionality to be achieved by a protocol is described by a task- 
PIOA family F, which typically models a kind of trusted party that computes 
the correct result from given inputs. A protocol P is defined to be secure if, 
for any adversary A that interacts with the protocol, there exists a “simulator” 
S that interacts with the functionality such that no external environment can 
distinguish whether it is interacting with the protocol and A or, with the func- 
tionality and S. In the task-PIOA framework we express this indistinguishability 
notion by saying that the composition of P and A must implement the compo- 
sition of F and S, which we denote by $P\|A \leq_{neg,pt} F\|S$. More precisely, the 
$\leq_{neg,pt}$ implementation relation means that, for every polynomial-time-bounded 
environment family E and every polynomial-length-bounded task scheduler for 
$P\|A\|E$, there is a polynomial-length-bounded task scheduler for $F\|S\|E$ such 
that the probabilities that E performs an accept output action in these two 
systems differ by a negligible amount. An important part of this definition is 
that it includes the quantifiers on the task schedulers, that is, we prove secu- 
rity properties for every way to resolve the low-level nondeterminism. In [9], 
we prove convenient properties of the $\leq_{neg,pt}$ relation; for example, it is tran- 
sitive and is preserved when we compose two $\leq_{neg,pt}$-related systems with any 
polynomial-time-bounded task-PIOA family. 


Proving Security In order to prove that two task-PIOA families A and B 
are $\leq_{neg,pt}$-related, we decompose our security proofs into several steps, as in 
game-based proofs [13, 14]: in order to prove that $A \leq_{neg,pt} B$, we prove that 
$A_1 \leq_{neg,pt} \cdots \leq_{neg,pt} A_n$, where $A_1 = A$ and $A_n = B$. The families $A_i$ and 
$A_{i+1}$ are defined in such a way that either they are perfectly indistinguishable, 
that is, indistinguishable even by an unbounded environment, or they only differ 
by a small detail corresponding to a computational assumption. 

When $A_i$ and $A_{i+1}$ are perfectly indistinguishable, we prove that $A_i \leq_{neg,pt}$ 
$A_{i+1}$ by using a new, sound simulation relation [8,9]. Even though the form of 
this simulation relation is not usual (for instance, it relates probability distri- 
bution on executions rather than states), this type of proof requires using fairly 
traditional formal methods. 

In order to relate systems that are indistinguishable in a computational sense 
only, we translate computational hardness assumptions in terms of implemen- 
tation relations between task-PIOA families: for instance, for expressing the 
DDH assumption, we define a family $DDH_1$ transmitting a triple $(g^x, g^y, g^{xy})$, 
a family $DDH_2$ transmitting a triple $(g^x, g^y, g^z)$ (where x, y, and z are selected 
randomly), and claim that $DDH_1 \leq_{neg,pt} DDH_2$. In [9], we prove for a simi- 
lar case that this formulation style is equivalent to the classical computational 
definition. 
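As an added illustration (not from the paper) of why the step between the two DDH families is a computational assumption rather than a perfect-indistinguishability step, the following Python code computes the exact output distributions of $DDH_1$ and $DDH_2$ for a constructed tiny group, the order-11 subgroup of $\mathbb{Z}_{23}^*$ generated by $g = 4$, and the accept-probability gap an unbounded environment achieves between them.

```python
from fractions import Fraction
from itertools import product

# Constructed toy group for illustration: g = 4 has prime order q = 11 in Z_23^*.
# The real assumption concerns a family of groups growing with the security
# parameter k; a fixed tiny group only shows what an unbounded environment can do.
P, Q, G = 23, 11, 4

def ddh1():
    """Output distribution of DDH_1: (g^x, g^y, g^xy) with x, y uniform in Z_q."""
    dist = {}
    for x, y in product(range(Q), repeat=2):
        triple = (pow(G, x, P), pow(G, y, P), pow(G, x * y, P))
        dist[triple] = dist.get(triple, 0) + Fraction(1, Q * Q)
    return dist

def ddh2():
    """Output distribution of DDH_2: (g^x, g^y, g^z) with x, y, z uniform in Z_q."""
    subgroup = [pow(G, i, P) for i in range(Q)]
    return {t: Fraction(1, Q ** 3) for t in product(subgroup, repeat=3)}

def statistical_distance(a, b):
    """Largest accept-probability gap any (unbounded) environment can achieve."""
    return sum(abs(a.get(k, 0) - b.get(k, 0)) for k in set(a) | set(b)) / 2

def unbounded_env_gap():
    """An environment that accepts exactly the DDH_1-shaped triples (it can
    brute-force discrete logs, so it is not polynomial-time-bounded) separates
    the two families by 1 - 1/q; only a bound on the environment makes
    DDH_1 <=_{neg,pt} DDH_2 plausible."""
    d1, d2 = ddh1(), ddh2()
    accept = set(d1)
    return sum(d1[t] for t in accept) - sum(d2[t] for t in accept)
```

For this group both functions return 10/11: the two families are far apart statistically, so a simulation-relation proof cannot relate them and the relation must be assumed for a bounded environment.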

In order to exploit these computational assumptions, we define $A_i$ and $A_{i+1}$ 
in such a way that they can be expressed as $C_1\|Ifc$ and $C_2\|Ifc$ respectively, where 
$C_1 \leq_{neg,pt} C_2$ is a stated computational assumption and $Ifc$ is polynomial-time- 
bounded (the $Ifc$ family plays the role of the reduction in classical computational 
proofs). Now, the relation $A_i \leq_{neg,pt} A_{i+1}$ follows from the composition property 
of the $\leq_{neg,pt}$ relation. 

As a case-study, we used these techniques in [9] for the analysis of a classical 
Oblivious Transfer protocol [15]. This analysis involves a passive adversary, as 
the OT protocol we consider is only secure against this type of opponent. 
This passive adversary is modeled by restricting the task-PIOA describing the 
adversary to send only messages it has previously received. Dealing with an active 
adversary would simply correspond to removing this restriction in the adversary 
definition. 


4 Conclusion 


When working on our OT case-study, we found that breaking down our proofs 
into several pieces in order to separate issues of probability from computational 
issues was especially convenient: probability issues can be dealt with using fairly 
traditional formal methods, while computational issues are concentrated on iso- 
lated pieces, which can be managed independently with traditional cryptographic 
techniques: formulating computational assumptions, and building reductions. 
This should provide a way for people from the formal and computational cryp- 
tography communities to work together on proofs in a single framework. 

We used our task-PIOA framework to establish composable security proofs. 
We therefore expect that it can eventually be used to obtain sound abstractions for 
classical cryptographic primitives and protocols. This would allow performing 
sound, symbolic-style, analysis inside our framework: symbolic analysis of cryp- 
tographic protocols based on I/O automata has already been performed in [16]. 

Our plans for the near future include establishing general composition theo- 
rems in the style of [12,5], modeling more sophisticated computational assump- 
tions, and using these results for the analysis of a key exchange protocol. 